Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

Avast - Java:CVE-2012-0507-CH [Expl]

Avira - EXP/JAVA.Jovab.Gen

Drweb - Exploit.CVE2012-0507.9

Gdata - Java:CVE-2012-0507-CH

Indication of Infection

The symptoms of this detection are the files, registry entries, and network communication referenced in the characteristics section.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Virus Characteristics

“Downloader-BCS!v” is a detection for Java applets written with malicious intent to download other payloads and execute them without user consent. The applet malware exploits a Java Runtime Environment vulnerability, as explained in CVE-2012-0507.

The vulnerability is in the implementation of the AtomicReferenceArray class, which allows type safety checks to be circumvented to bypass the Java sandbox; this permits Java to download and execute malware. The applet typically contains code that consumes a URL (also part of the applet) which hosts the malware.

This vulnerability is triggered by the way error objects are handled by the vulnerable JavaScript engine. Normally, a JavaScript engine ensures that it executes only trusted code within the Java Runtime Environment, as opposed to untrusted applet code.

The exploit first creates an error object which the vulnerable JavaScript engine cannot handle, and then it executes a script that disables the Java Security Manager using the "toString" method. It then throws an exception, proceeds, and calls the malicious class file to execute the arbitrary code.

In the wild, it can be found as a Java archive. The malicious HTML passes the encrypted URL of the file to download and execute as the parameter x to the applet.

The JAR file contains the following class files in the vmcsvpjjhjwaeckbklw package, which trigger the vulnerability:

bhppjvkrghmblnwr.class (Vulnerability triggering class file)

hknhpfcmfnrgjewstwmvjb.class (Class Loader)

cktewjlmbdmd.class (Disable Java Security Manager)

huwvqvenwr.class (Payload downloader) (Detected as Downloader-BCS!v)

acqalhmf.class (Applet class)

Upon execution, the Trojan attempts to exploit the vulnerability in the Java Runtime Environment (JRE).

To retrieve the arbitrary file from a URL, the applet creates a java.net.URL object, then calls its openStream() method. The method handles the details of creating the connection, issuing an HTTP GET request, and retrieving the response data.
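For triage of a suspect Java archive, the following added example (not part of the original write-up or of any vendor tool) parses each class file's constant pool and reports which classes reference AtomicReferenceArray, java.net.URL or openStream, the names this description ties to the applet. The function names and the sample archive built by make_jar are assumptions made for illustration.

```python
import io, struct, zipfile

# Bytes following the tag for each fixed-size constant-pool entry (JVM class-file format).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Names taken from the description above: the abused class and the download call.
INDICATORS = ("java/util/concurrent/atomic/AtomicReferenceArray", "java/net/URL", "openStream")

def utf8_constants(data):
    """Return the set of Utf8 constant-pool strings in one .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]
    pos, idx, out = 10, 1, set()
    while idx < count:
        tag = data[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            n = struct.unpack_from(">H", data, pos + 1)[0]
            out.add(data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        elif tag in CP_SIZES:
            pos += 1 + CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return out

def triage_jar(jar_bytes):
    """Map each class entry in a JAR to the indicators its constant pool references."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            try:
                pool = utf8_constants(jar.read(name))
                found = [i for i in INDICATORS if i in pool]
            except (ValueError, IndexError, struct.error):
                found = ["unparseable"]  # malformed classes deserve a look too
            if found:
                hits[name] = found
    return hits

def make_jar(classes):
    """Constructed sample input: a JAR whose classes hold only a header and Utf8 constants."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, strings in classes.items():
            pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
            z.writestr(name, b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(strings) + 1) + pool)
    return buf.getvalue()
```

A hit is a reason to inspect the archive further, not a verdict: legitimate code also uses these classes, and a sample can hide names behind reflection or string obfuscation.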

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).